Project Permissions Endpoint
Closed this issue · 0 comments
cgalarza commented
This project permissions endpoint will be used to create a form that adds project permissions to a user and a form that adds permissions to a project.
Note: #104 should be merged before you start work on this.
The endpoint should be at:
POST /api/v1/projects/permissions
The request should look something like:
{
  "project_permissions": [
    {
      "project_id": 1,
      "user_uid": "2349-4983-3494-9343",
      "actions": ["read_objects", "edit_objects"]
    },
    {
      "project_id": 1,
      "user_uid": "1111-4983-3494-9343",
      "actions": ["read_objects"]
    }
  ]
}
One way to implement this would be that for each combination of project_id and user_id all the project permissions should be found and deleted. They can then be recreated based on the new information given.
Any user with the ability to 'manage users' should be able to add any permissions. If a user doesn't have that, they have to have 'manage' permission for all the projects they are trying to change.
This was how I started to implement this:
module Api
  module V1
    module Projects
      class PermissionsController < ApplicationApiController
        before_action :ensure_json_request
        before_action :current_user_permitted?

        def batch_update
          # TODO
        end

        private

        # Key matches the "project_permissions" array in the request body.
        def batch_update_params
          params.permit(project_permissions: [:project_id, :user_uid, { actions: [] }])
        end

        def current_user_permitted?
          # Each entry is a parameters hash, so read the id by key.
          project_ids = batch_update_params[:project_permissions].map { |permission| permission[:project_id] }
          # Not sure this check is entirely correct, you may need to check can?(:manage, Project, id: project_ids[1]) for each project.
          permitted = can?(:manage, User) || can?(:manage, Project, id: project_ids)
          # A before_action only halts the request if it renders or redirects.
          head :forbidden unless permitted
        end
      end
    end
  end
end
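The authorization rule and the delete-and-recreate approach described in this issue, sketched in plain Ruby as an added example (not the project's code). `PermissionStore`, the actor hash and the modelling of 'manage' as a stored action named "manage" are assumptions; the point shown is that every project in the batch is checked before anything is changed, so a partly authorized batch changes nothing.

```ruby
require "set"

# Hypothetical in-memory stand-in for the permissions table:
# { [project_id, user_uid] => Set of action names }.
class PermissionStore
  attr_reader :grants

  def initialize(grants = {})
    @grants = grants
  end

  # "manage users" allows any change; otherwise the actor needs "manage"
  # on every project named in the batch, not just on one of them.
  def permitted?(actor, entries)
    return true if actor[:manage_users]
    entries.all? do |entry|
      @grants.fetch([entry[:project_id], actor[:uid]], Set.new).include?("manage")
    end
  end

  # Authorize the whole batch first, then replace each pair's actions.
  def batch_update(actor, entries)
    return :unprocessable if entries.empty? # all? is vacuously true on []
    return :forbidden unless permitted?(actor, entries)
    entries.each do |entry|
      key = [entry[:project_id], entry[:user_uid]]
      @grants.delete(key)                    # drop the old permissions
      @grants[key] = entry[:actions].to_set  # recreate from the request
    end
    :ok
  end
end

# Constructed sample data: "mgr" manages project 1 only.
store = PermissionStore.new({ [1, "mgr"] => Set["manage"] })
manager = { uid: "mgr", manage_users: false }
batch = [
  { project_id: 1, user_uid: "u1", actions: ["read_objects"] },
  { project_id: 2, user_uid: "u1", actions: ["read_objects"] }
]
puts store.batch_update(manager, batch)        # project 2 is not managed
puts store.batch_update(manager, batch.take(1))
```

In a real controller the delete and recreate steps would run inside one database transaction so a failure midway cannot leave a user with no permissions.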